
NTC 2018: Securing Your Website with HTTPS

Co-presented with Ben Byrne: https://www.slideshare.net/drywallbmb/presentations

There is a growing appetite for the ability to browse the web securely. Trends clearly show that the public’s tolerance for the non-secure-site-as-default is waning fast. Increasingly, sites that are not secure get called out publicly by users via social media channels; they cannot achieve higher search engine rankings, and they become vulnerable to security breaches and lawsuits.

If your organization is not serving its public-facing and internal sites over HTTPS, then you will want to come learn more about what HTTPS is, why your organization needs it, and how to make the case for this method of encryption back at the office.

Come learn about:

* The difference between HTTP and HTTPS
* The benefits and challenges of getting your site on HTTPS
* Free tools and services
* Tips and best practices when planning for and implementing HTTPS
* How to garner support for the switch inside your organization

This session will be designed for our non-technical colleagues. It will be delivered in plain language and there will be a generous amount of time left for questions and answers.

Learning Objectives

* Understand browser privacy and the current trend toward browser encryption, and differences between security and privacy
* Review the steps to switch to HTTPS, ways to mitigate risk, and the tools and services available to you
* Learn how to make a solid case for HTTPS inside your organization

Katherine White

April 12, 2018

Transcript

  1. SECURING YOUR WEBSITE WITH HTTPS: WHAT IT IS AND WHY YOU NEED IT — NOW
     #18NTCHTTPS 04/12/2018
     Ben Byrne, Cornershop Creative
     Katherine White, Kanopi Studios
  2. GETTING STARTED / WHAT WE’LL DISCUSS
     ▸ What is HTTPS?
     ▸ HTTPS Myths
     ▸ Security, Privacy, and the Public
     ▸ Why to update NOW
     ▸ Benefits and Challenges
     ▸ Steps to Implement HTTPS
  3. GETTING STARTED / ABOUT US
     ▸ Ben Byrne
       ▸ Co-founder of Cornershop Creative
       ▸ Lives in Santa Rosa, CA
     ▸ Katherine White
       ▸ Director of Engineering at Kanopi Studios
       ▸ Lives in Austin, TX
  4. SECURE ONLINE COMMUNICATIONS HAPPEN WHEN AN SSL CERTIFICATE ISSUED BY A CERTIFICATE AUTHORITY ENABLES A SITE TO TRANSFER ENCRYPTED CONTENT OVER A SECURE PROTOCOL.
  5. WHAT IS HTTPS? / “SSL” CERTIFICATES
     ▸ Digital certificate that authenticates the identity of a website
     ▸ It isn’t actually “SSL” any more, but the term has stuck
     ▸ Contains information about the certificate holder and authority
  6. WHAT IS HTTPS? / “SSL” CERTIFICATE TYPES
     ▸ Single Domain Certificates
     ▸ Multi-Domain Certificate (MDC)
     ▸ Wildcard Certificate
     ▸ CAs cannot issue all types at all levels
  7. WHAT IS HTTPS? / “SSL” CERTIFICATE LEVELS
     ▸ Extended Validation (EV) Certificates
       ▸ Highest level of security
       ▸ Rigorous validation process by the CA
     ▸ Organization Validated (OV) Certificates
     ▸ Domain Validated (DV) Certificates
       ▸ The most common certificate level
       ▸ Ensures the domain is controlled by the certificate requestor
  8. WHAT IS HTTPS? / WHAT IS A “CERTIFICATE AUTHORITY” (CA)?
     ▸ Trusted third-party organization
     ▸ Certifies a website (and the organization behind it) is who it says it is
     ▸ “Trusted” is defined by web browsers and operating systems
  9. WHAT IS HTTPS? / ENCRYPTION KEYS
     ▸ Symmetric vs Asymmetric
     ▸ Private Key - encrypts content so it cannot be read in transit
     ▸ Public Key - decrypts content when it reaches its destination
     ▸ Public Key is available on your SSL Certificate
     ▸ Private Key exists only on the server
 10. WHAT IS HTTPS? / THE “HANDSHAKE”
     ▸ Client says “hello” - tells the server what it can handle
     ▸ Server says “hello” back - tells the client what encryption details will be used
     ▸ Client checks out the server’s SSL Certificate
     ▸ Keys are exchanged
     ▸ Single symmetric key is established for the duration of the conversation
 11. WHAT IS HTTPS? / ENCRYPTION ALGORITHMS
     ▸ This is not a technical talk!
     ▸ The way keys are encrypted for exchange
     ▸ RSA is the most common, and there are lots of RSA cipher suites
     ▸ Encryption is a giant study in acronyms (RSA, SHA, AES, DES…)
     ▸ Used to generate your private and public keys based on your certificate type
     Phew.
     openssl req -new -sha256 -key www.example.com.key -out www.example.com.csr
 12. WHAT IS HTTPS? / WHAT ARE SSL AND TLS?
     ▸ Protocols are a set of rules
     ▸ Defines the steps taken during the “handshake” process
     ▸ Steps are focused on ensuring the communication is secure
     ▸ SSL: Secure Sockets Layer - older, now prohibited
     ▸ TLS: Transport Layer Security - the modern standard
     ▸ People still use the terms interchangeably
 13. WHAT IS HTTPS? / USING HTTP STRICT TRANSPORT SECURITY (HSTS)
     ▸ Forces a browser to ONLY use HTTPS to interact with the site
     ▸ Security policy that mitigates some kinds of attacks
     ▸ Sent by the server
     ▸ Recommended for the most secure implementation
     ▸ Comes after getting your certificate set up
 14. SECURE ONLINE COMMUNICATIONS HAPPEN WHEN AN SSL CERTIFICATE ISSUED BY A CERTIFICATE AUTHORITY ENABLES A SITE TO TRANSFER ENCRYPTED CONTENT OVER A SECURE PROTOCOL.
 15. WHY IT MATTERS
     A MAJORITY OF AMERICANS (64%) HAVE PERSONALLY EXPERIENCED A MAJOR DATA BREACH.
     Pew Research Center, 2017
 16. WHY IT MATTERS
     ROUGHLY HALF OF AMERICANS (49%) FEEL THAT THEIR PERSONAL INFORMATION IS LESS SECURE THAN IT WAS FIVE YEARS AGO.
     Pew Research Center, 2017
 17. AMERICANS CONSISTENTLY LACK CONFIDENCE IN THE SECURITY OF EVERYDAY COMMUNICATION CHANNELS AND THE ORGANIZATIONS THAT CONTROL THEM – PARTICULARLY WHEN IT COMES TO THE USE OF ONLINE TOOLS.
     Pew Research Center, 2016
 18. WHY IT MATTERS / SOCIAL MEDIA
     ▸ Users are increasingly calling out organizations that do not have secure sites
     ▸ Especially applies to logins and financial transactions
     ▸ Will only increase with Chrome move in July (55% of browser use)
 19. STEP 1: IDENTIFY YOUR DOMAINS
     TIPS
     ▸ Determine your strategy for managing subdomains, especially if you have a large network of sites
     ▸ If it is only a few subdomains, it’s straightforward to add them to a single Multi-Domain Certificate (MDC)
     ▸ Let’s Encrypt now supports wildcard certificates
 20. STEP 2: FIND A CERTIFICATE PROVIDER
     TIPS
     ▸ Determine the level and type of certificate(s) needed by your organization
     ▸ See what relationships your hosting provider may already have
     ▸ Let’s Encrypt offers free Domain Validated certificates for sites
 21. STEP 2: FIND A CERTIFICATE PROVIDER
     TOOLS
     ▸ Let’s Encrypt - https://letsencrypt.org/
     ▸ CloudFlare - https://www.cloudflare.com/ssl/
     ▸ Comodo - https://www.comodo.com/
     ▸ GlobalSign - https://www.globalsign.com/
     ▸ …and many others
 22. STEP 3: GET & INSTALL CERTIFICATE(S)
     TIPS
     ▸ Check with your hosting provider — many have built-in support
     TOOLS
     ▸ Certbot (uses Let’s Encrypt) https://certbot.eff.org/
     ▸ https://www.eff.org/https-everywhere/deploying-https
 23. STEP 4: UPDATE URLS
     ASSET CHECKLIST
     ▸ Fonts
     ▸ Images
     ▸ Scripts & Stylesheets
     ▸ Social media
     ▸ Embedded media (audio, video)
     ▸ Iframes
     ▸ Tracking scripts like CRM and analytics tools
 24. STEP 4: UPDATE URLS
     TIPS
     ▸ Think about links between your site content as well as links to your assets
     ▸ Ensure all form submissions, including those embedded from third-party tools, are using HTTPS
     ▸ Assets served from a CDN must also be secured, if applicable
     ▸ Tools included by your third-party tools affect you, too
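The Step 4 asset checklist and the form-submission tip, as an added scanner that is not part of the deck: it walks an HTML document (a constructed sample is embedded) and reports every image, script, stylesheet or font link, embedded media, iframe and form action that still points at a plain http:// URL. The tag-to-attribute table is an assumed subset that can be extended.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes carrying a fetchable URL (assumed subset of the Step 4 checklist).
URL_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),        # stylesheets, web fonts, preloads
    "iframe": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "form": ("action",),      # form posts must also go over HTTPS
}

class InsecureRefFinder(HTMLParser):
    """Collect (tag, attribute, url) triples whose URL scheme is plain http."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" pairs; check each URL.
            urls = [c.split()[0] for c in value.split(",") if c.strip()] if attr == "srcset" else [value]
            for url in urls:
                # Protocol-relative (//host/...) and https:// references are fine on an HTTPS page.
                if urlsplit(url.strip()).scheme == "http":
                    self.findings.append((tag, attr, url.strip()))

def find_insecure_refs(html):
    """Return every plain-http asset or form reference found in the markup, in document order."""
    parser = InsecureRefFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample page: a mix of already-migrated and still-insecure references.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://cdn.example.org/site.css">
<link rel="stylesheet" href="http://fonts.example.org/open-sans.css">
<script src="http://analytics.example.net/track.js"></script>
<img src="//images.example.org/logo.png" srcset="http://images.example.org/logo@2x.png 2x">
<iframe src="https://video.example.org/embed/1"></iframe>
<form action="http://crm.example.net/subscribe" method="post"></form>
"""
```

Running `find_insecure_refs(SAMPLE_HTML)` lists the font stylesheet, the tracking script, the 2x image candidate and the CRM form target; the protocol-relative logo and the https iframe are left alone.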
 25. STEP 5: VERIFY HTTPS WORKS
     TIPS
     ▸ Validate your configuration after you deploy your certificate to make sure everything is set up correctly
     ▸ Run another content scan (see the Step 5 tools) to be sure all URLs have been converted
     ▸ Don’t require HTTPS (Step 6) until everything works the way you want it to
 26. STEP 5: VERIFY HTTPS WORKS
     TOOLS
     ▸ SSL Labs - https://www.ssllabs.com/
     ▸ DigiCert configuration check - https://www.digicert.com/help/
     ▸ Comodo SSL analyzer - https://sslanalyzer.comodoca.com/
     ▸ Chrome Lighthouse - https://developers.google.com/web/tools/lighthouse/
 27. STEP 6: FORCE HTTPS
     TIPS
     ▸ Your web host should provide platform-specific documentation
     ▸ Some have an automated implementation
     ▸ Usually managed at the web server level
     ▸ Now’s a good time to update Google Webmaster Tools/Search Console
 28. STEP 7: IMPLEMENT HSTS
     TIPS
     ▸ Start with a short time-to-live (TTL) of 5 minutes; increase this in stages (one week and one month)
     ▸ Once your testing is complete, consider HSTS Preloading
       ▸ Adds you to a global list of hosts who enforce HSTS that is built in to a browser
       ▸ Reduces any vulnerability that comes with the first request to a site
       ▸ Requires that all your subdomains use HTTPS
       ▸ Submit a preload request (and read the requirements): https://hstspreload.org/
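Steps 6 and 7 (and the HSTS description on slide 13), as an added Python sketch that is not part of the deck: the http-to-https redirect, the staged max-age values the slide recommends, a check of a header value against the hstspreload.org submission requirements (a one-year max-age, includeSubDomains and preload), and a response helper that attaches HSTS only on the https response. The stage names and helper functions are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Rollout stages from the deck (5 minutes, one week, one month), plus the
# one-year minimum max-age that hstspreload.org requires before submission.
HSTS_STAGES = {"trial": 300, "week": 604_800, "month": 2_592_000, "preload": 31_536_000}
PRELOAD_MIN_AGE = 31_536_000

def redirect_to_https(url):
    """Return the 301 target for a plain-http URL, or None if it is already https."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))

def hsts_header(stage, include_subdomains=False):
    """Build the Strict-Transport-Security value for one rollout stage.
    Preloading requires every subdomain on HTTPS, so that stage always
    adds includeSubDomains and the preload token."""
    if stage == "preload":
        include_subdomains = True
    directives = [f"max-age={HSTS_STAGES[stage]}"]
    if include_subdomains:
        directives.append("includeSubDomains")
    if stage == "preload":
        directives.append("preload")
    return "; ".join(directives)

def preload_ready(header):
    """Check a header value against the hstspreload.org submission rules:
    max-age of at least one year, includeSubDomains, and preload."""
    directives = {}
    for token in header.split(";"):
        name, _, value = token.strip().partition("=")
        directives[name.lower()] = value.strip()
    if not directives.get("max-age", "").isdigit():
        return False
    return (int(directives["max-age"]) >= PRELOAD_MIN_AGE
            and "includesubdomains" in directives and "preload" in directives)

def respond(url, stage, include_subdomains=False):
    """Handle one request: Step 6 redirects plain http; Step 7 attaches HSTS
    only on the https response (browsers ignore HSTS received over http)."""
    target = redirect_to_https(url)
    if target:
        return 301, {"Location": target}
    return 200, {"Strict-Transport-Security": hsts_header(stage, include_subdomains)}
```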
 29. WRAP UP / THANK YOU!
     ▸ Provide your feedback: http://po.st/FTOiLr
     Ben Byrne
     Founder & Chief Creative Officer
     Cornershop Creative
     [email protected]
     @drywall
     Katherine White
     Director of Engineering
     Kanopi Studios
     [email protected]
     @katherinemwhite
 30. FOOD FOR THOUGHT / YOUR PERSPECTIVE
     ▸ What is your biggest concern with moving to HTTPS?
     ▸ What horror stories have you heard, or lived through?
     ▸ Are there ways you feel HTTPS will impact your site that we haven’t talked about?